New NetWire RAT Campaigns Use IMG Attachments to Deliver Malware Targeting Enterprise Users

IBM X-Force researchers have discovered a new campaign targeting organizations with fake business emails that deliver NetWire remote-access Trojan (RAT) variants.

The post New NetWire RAT Campaigns Use IMG Attachments to Deliver Malware Targeting Enterprise Users appeared first on Security Intelligence.

Latest ‘Intrusion Truth’ data dump peels back layers on Chinese front companies

Intrusion Truth is back. The anonymous group known in the cybersecurity world for publishing detailed blog posts about suspected nation-state hackers released new information Thursday alleging that Chinese technology companies are recruiting attackers working on Beijing’s behalf. By identifying job postings seeking offensive cybersecurity skills, the group wrote, they found a number of companies in Hainan, a province in South China, all using the same language in their advertisements. Some of those companies have only a small web presence outside the job ads seeking offensive-minded computer specialists, suggesting to Intrusion Truth that employers actually are trying to recruit hackers for advanced persistent threat groups. “We know that these companies are a front for APT activity,” states the blog post published Thursday. This blog post is the first from Intrusion Truth since July 2019, when the group reported that a Chinese APT had offered to sell stolen data. Intrusion Truth emerged in […]

The post Latest ‘Intrusion Truth’ data dump peels back layers on Chinese front companies appeared first on CyberScoop.

Possible APT attacks against Ukraine expand to target journalists, researchers say

A suspected Russian hacking campaign that has resulted in attacks against Ukrainian military and government agencies has also affected journalists, law enforcement and nongovernmental organizations, according to new findings. Gamaredon, a hacking group that has been active since 2013 and has mostly haunted Ukrainian government targets, has broadened its reach within that country, the threat intelligence company Anomali said in research published Dec. 5. Anomali did not identify any Gamaredon targets by name, other than the Ministry of Foreign Affairs, and said it remains unclear whether the attackers have successfully breached the targeted people and organizations. The attempted attacks began in mid-September and were ongoing as of Dec. 6, Anomali said. If Gamaredon is behind the hacking attempts, as Anomali has assessed, the campaign represents an expansion of the group’s interests. The advanced persistent threat (APT) group, which Fortinet previously reported has “strong Russian ties” based on a language analysis, has sought to breach Ukrainian public […]

The post Possible APT attacks against Ukraine expand to target journalists, researchers say appeared first on CyberScoop.

Shadow Brokers data dump tipped researchers off to a mysterious APT dubbed DarkUniverse

Clues about a hacking group that carried out attacks against targets in countries including Syria, Iran and Russia were included in files leaked by a mysterious group known as the Shadow Brokers, according to new findings. Researchers from the security vendor Kaspersky published a report Tuesday detailing an advanced persistent threat (APT) group the company has dubbed DarkUniverse. Documents published in 2017 by the Shadow Brokers — an elusive group that publicly disseminated NSA hacking tools — included a script that checked a compromised system for signs of other hacking groups. DarkUniverse was among the groups the script could check for. The DarkUniverse group hit victims in Afghanistan, Tanzania, Ethiopia, Belarus and the United Arab Emirates, along with more common targets such as Russia, Iran and Syria. All told, the APT group breached “around” 20 victims, ranging from military agencies to private-sector organizations such as telecommunications firms and medical institutions. “We believe […]

The post Shadow Brokers data dump tipped researchers off to a mysterious APT dubbed DarkUniverse appeared first on CyberScoop.

Cozy Bear kept moving after 2016 election, ESET says

One of the Kremlin-linked hacking groups that breached the Democratic National Committee in 2016 has remained active in the years that followed, even if it has been less visible. Cozy Bear, also known as APT29 and the Dukes, began using different malicious software and new hacking techniques after 2016, according to findings published Thursday by the Slovak security firm ESET. There wasn’t much public evidence of the group’s activity, but researchers say it did not go quiet after interfering in the U.S. presidential election. The hackers targeted U.S. think tanks in 2017, defense contractors in 2018 and three European countries’ ministries of foreign affairs. (The U.S. security firm FireEye suggested in November that Cozy Bear was showing signs of activity.) “Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” ESET said in its report. “The Dukes were able […]

The post Cozy Bear kept moving after 2016 election, ESET says appeared first on CyberScoop.

APT groups are exploiting outdated VPNs to spy on international targets, U.K. and U.S. warn

International hacking groups are exploiting vulnerabilities in virtual private network technologies to steal user credentials and monitor sensitive traffic, the United Kingdom’s National Cyber Security Centre said, amid recent warnings that the Chinese government has used similar tactics to collect intelligence. The NCSC, an offshoot of Britain’s intelligence agency GCHQ, said on Oct. 2 that hackers are exploiting outdated versions of Palo Alto Networks, Fortinet and Pulse Secure products. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published its own advisory on the vulnerabilities, which attackers could use to take over an affected system, on Oct. 4. Neither warning speculates on who may be behind the attacks, though the alerts come after Microsoft said in August that Manganese, a Chinese hacking collective also known as APT5, was focusing attacks on Pulse Secure and Fortinet products. Pulse Secure, Palo Alto and Fortinet have each released security updates for all of […]

The post APT groups are exploiting outdated VPNs to spy on international targets, U.K. and U.S. warn appeared first on CyberScoop.

New research shows more utility companies are being targeted by phishing emails

A set of possibly state-sponsored hackers has targeted a much longer list of U.S. utility-sector organizations than previously documented, according to cybersecurity company Proofpoint, underscoring the steady interest that well-resourced hackers have in U.S. critical infrastructure. From April to August, the unidentified hackers targeted at least 17 entities in the sector, Proofpoint said. The tally jumped from the three utilities the company reported on in August after a fresh batch of phishing emails was found. Proofpoint is unsure who is behind the spearphishing attempts, but described the activity as an “advanced persistent threat” campaign, a label typically reserved for state-sponsored actors. Proofpoint has said there are similarities between the macros used by the attackers and activity last year from APT10, a group tied to China’s civilian intelligence agency. The link between the two, however, is far from conclusive. “Our analysts did not observe additional code overlap or infrastructure reuse […]

The post New research shows more utility companies are being targeted by phishing emails appeared first on CyberScoop.

What Are Advanced Persistent Threats (APTs), and How Do You Find Them?

Companies are constrained by insufficient time and resources to detect and respond to advanced persistent threats (APTs). How can SOCs fill the gaps and keep advanced attackers out of their networks?

The post What Are Advanced Persistent Threats (APTs), and How Do You Find Them? appeared first on Security Intelligence.

A phishing campaign with nation-state hallmarks is targeting Chinese government agencies

Hackers with possible ties to an advanced persistent threat (APT) group are trying to steal usernames and passwords of Chinese government officials as part of an apparent cyber-espionage effort, according to findings provided exclusively to CyberScoop prior to scheduled publication Thursday. Researchers from the threat intelligence company Anomali have uncovered malicious websites with registrations dating back to November 2018 that impersonate email login pages from the Chinese Ministry of Foreign Affairs; China’s National Development and Reform Commission, an economic management agency under the State Council; and the National Aero-Technology Import and Export Corporation, a Chinese state-owned defense company. While it’s not clear who exactly is behind the effort, CyberScoop independently verified the findings with three external threat intelligence practitioners, two of whom said with confidence the attack resembles a nation-state effort. All three spoke only on the condition of anonymity because they were not authorized to speak to reporters. Upon […]

The post A phishing campaign with nation-state hallmarks is targeting Chinese government agencies appeared first on CyberScoop.

A potentially state-sponsored hacking campaign tried to phish U.S. utilities in July, researchers say

Hackers that may be state-sponsored tried to spearphish three companies in the U.S. utility sector last month, cybersecurity company Proofpoint said Thursday. The malware-laced emails were sent from July 19 to July 25 and impersonated a national association that facilitates engineering exams, Proofpoint researchers said. A Microsoft Word document attached to the emails contained a remote access trojan capable of deleting files, taking screenshots, rebooting a machine and deleting itself from an infected network, among other capabilities. The researchers did not say whether the hackers were able to compromise the utility companies. A person familiar with the matter told CyberScoop that at least one of the three organizations was able to block and mitigate the activity. That person did not have knowledge of the other two organizations that were targeted. It is also unclear who is behind the phishing operation. There are similarities between the macros used in this […]

The post A potentially state-sponsored hacking campaign tried to phish U.S. utilities in July, researchers say appeared first on CyberScoop.
